RT @AikidoSecurity: Deleting a Google API key does not revoke it immediately. Our research found successful authentications up to 23 minutes after deletion across Google's infrastructure. During this window, attackers with a leaked key can continue to access enabled APIs, including Gemini. Google closed our report as "not fixed".

more on Arint.info

#APIKeys #Cybersecurity #DataProtection #Gemini #GoogleAPI #TechNews #arint_info

https://x.com/AikidoSecurity/status/2057451447881486837#m

Arint - SEO+KI (@[email protected])


1Password secures coding agents with new OpenAI Codex integration

https://fed.brid.gy/r/https://nerds.xyz/2026/05/1password-openai-codex-security/

AI Leak Watch: 435,608 potential AI API key matches in public GitHub code

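435,608 potential AI API key exposures have been found in public GitHub repositories, raising security risks. Some of these may be test keys or revoked keys, but if active keys are abused there is a risk of API call abuse and incurred costs. When developing AI, proper secret management is essential, such as not hardcoding API keys in code and instead using environment variables or a secret manager. Automated secret detection and security checks using tools such as ASH and TruffleHog are recommended.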

https://ai-keys-leaks.begimher.com/

#security #apikeys #github #secretmanagement #aidevelopment

AI Leak Watch - Tracking Potential AI API Key Leaks

Google Cloud's Vertex AI: A Hub for Generative AI Development Navigates API Access and Integration

Google Vertex AI users get 403 errors. Learn how to fix API key and service account permissions for Gemini and other AI models.

#VertexAI, #GoogleCloud, #APIKeys, #GenerativeAI, #IAM

https://newsletter.tf/google-vertex-ai-api-key-permission-errors/

Google Vertex AI is making it easier to build AI, but many users are hitting a wall with API key errors. This is a common problem for developers.

#VertexAI, #GoogleCloud, #APIKeys, #GenerativeAI, #IAM
https://newsletter.tf/google-vertex-ai-api-key-permission-errors/

Google Vertex AI API Key Errors: How to Fix 403 Permission Denied

NewsletterTF

The Register: Google users fight for refunds as unauthorized API usage bills soar. “Several Google Cloud customers say their API keys have been compromised and used by bad actors to run inferencing workloads using the most expensive video and picture models, leaving them with bills for tens of thousands of dollars and weeks of back-and-forth headaches with the Chocolate Factory as they tried to […]

https://rbfirehose.com/2026/05/16/the-register-google-users-fight-for-refunds-as-unauthorized-api-usage-bills-soar/

ResearchBuzz: Firehose

Ah yes, another "revolutionary" #API promising to unite the #AI models of #Europe with the transformative power of a single login screen. 🌍🔑 Because apparently, the real challenge in AI isn't the technology, but remembering which API key unlocks #Skynet. 🤖✨
https://www.edenai.co #Revolution #Tech #Innovation #APIKeys #HackerNews #ngated

Eden AI | One API to Route Best AI Models

Access 500+ LLMs and expert AI models through one unified API. Route requests by cost, performance, and region with built-in smart routing and fallbacks.

Ah, the digital Fort Knox of API keys! 🏰 Because who wouldn't want to turn their code into an unending #security checkpoint #circus 🎪, complete with browser verifications and #JavaScript hijinks? Just what every developer dreams of: #debugging security measures instead of their actual code! 🚀
https://www.keycard.studio/ #APIkeys #DeveloperLife #HackerNews #ngated

My adventure in designing API keys

🚀 New Talk Confirmed for BSides Luxembourg 2026!

Leaky API Keys, Log Tampering, and Account Takeover – Aleksa Zatezalo

Modern cloud systems are highly secure in isolation, but real-world risk emerges at the seams — where services integrate. This talk explores how seemingly minor misconfigurations in logging pipelines, API integrations, and third-party services can quietly escalate into high-impact security breaches.

Through three real-world inspired vulnerability scenarios, the session demonstrates how leaked API keys from client-side logs, misconfigured S3 uploads, and insecure integrations (such as Supabase and financial data pipelines) can be chained into account takeover paths. The focus is on understanding the underlying anti-patterns rather than isolated bugs.

Attendees will leave with a structured framework to identify these cross-service weaknesses and practical remediation strategies that go beyond patching symptoms — targeting the architectural root causes that enable entire classes of exploitation.

Aleksa Zatezalo is a security engineer and software developer with experience in cloud security consulting, offensive security tooling, and contributions to Metasploit. He currently works at Praetorian and is OSCP-certified, pursuing OSCE3, with a strong focus on applied offensive security research.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule: https://pretalx.com/bsidesluxembourg-2026/schedule/

📱 Want an easy way to follow the schedule?
Use Hacker Tracker: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #CloudSecurity #APIKeys #AccountTakeover #DevSecOps #CyberSecurity